Is skipEndpointValidationWhenSigned still an issue?
Brent Putman
putmanb at georgetown.edu
Wed May 25 14:33:26 EDT 2016
On 5/25/16 2:21 PM, Cantor, Scott wrote:
> On 5/25/16, 2:14 PM, "users on behalf of Yavor Yanakiev" <users-bounces at shibboleth.net on behalf of yavor at nyu.edu> wrote:
>
> Their system *is* broken, and they are doubly wrong for requesting a response URL that doesn't match their metadata. There is no way around that fact.
>
Agreed 100%. If one of their customers wants to tell them what they're
technologically doing wrong via-a-vis the ACS, to file a bug, etc: I
think the fundamental problem is that they are mistakenly treating the
ACS URL as if it's dynamic, and that they can append "runtime" query
params. It's not. It has to be a static unchanging URL. If dynamic
per-request info needs to be conveyed, it needs to happen via
RelayState (either by value - embedded directly in the query param - or
by reference).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160525/3d953026/attachment.html>
More information about the users
mailing list